Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Your Brain
  • Autorecon
  • Find neighbors: netdiscover
  • Masscan
  • gobuster
  • dirb
  • nikto
  • dirsearch
  • Wordpress Vuln Scanner - wpscan
  • cmsmap
  • wig
  • whatweb
  • Netcat Port Scanner
  • PowerShell Ping Sweep
  • Public Attack Surface
  • wget
  • uniscan

Was this helpful?

  1. 02 Scan

Dirb nikto wpscan etc

Your Brain

  • Investigate Clues:

  • /wordpress/ ... very fertile ground for an attack. User access = shell.

  • /phpmyadmin/ ... suggests there is a database ready to plunder.

  • /info.php .... gives us Kernel, hostname and OS information immediately.

Autorecon

  • multi-scan-tool runs nmap, gobuster, and more

sudo python3 autorecon.py $IP -o /home/beep/

Find neighbors: netdiscover

sudo netdiscover -r 192.168.10.0/24
netdiscover -r 192.168.10.0/24

Masscan

masscan -p22,80,443,445,1433,3389 --rate 15000 10.0.0.0/8
Fast enough, without causing DOS

1433 SQL
3389 RDP
If you run w/o 'rate', I will be too fast. Be careful

masscan pp0-65535 --rate 15000 --output-format binary --output-filename full.mass 10.0.0.0/8

-oL  ..List
-oJ  ..JSon
-oG  ..Grepable
-oB  ..Binary - fast but unreadable
-oX  ..XML
-oU  ..Unicorn

Convert Later:
masscan --read-scan full.mass --output-format xml --output-filename full.xml
masscan --read-scan full.mass --output-format grepable --output-filename full.txt

gobuster

  • If blocked, try dirsearch or burp

------------------------
locate common.txt  ..fast/ok
locate medium.txt  ..catches more

gobuster -u http://$IP -w medium.txt
gobuster dir -u http://$IP/admin -w ...
gobuster dir -u http://$IP/nibbleblog/admin/ -w -o gobuster.log
gobuster dir -u https://$IP/ -w ..medium.txt -k
gobuster dir -u https://$IP --noprogress --wordlist ..medium.txt -k
gobuster dir -u https://$IP -w ..medium.txt  -k -x php,txt,bak,conf

-f: flag appends / to end of directory 
-x: file extensions to search for
-o: output
-k: ignore SSL certificate warnings
-a: 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

------------------------
Shellshock:
gobuster dir -u $IP -w medium.txt
gobuster dir -u $IP -f -w medium.txt
gobuster dir -u $IP/cgi-bin/ -w medium.txt -x sh,cgi,pl,py,php

dirb

dirb http://192.168.50.102
.. WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

dirb http://10.x.x.x/admin -w   ..to follow other paths

nikto

nikto -host http://10.137.114.39:1337/978345210/index.php

dirsearch

  • Alternative to gobuster

dirsearch -e txt,php -u http://$IP -w medium.txt -t 30 -f 
python3 /opt/dirsearch/dirsearch.py -u http://$IP -w medium.txt -e txt,php

Wordpress Vuln Scanner - wpscan

REF: Webapp Wordpress

wpscan --url 192.168.50.102

cmsmap

python cmsmap.py -t http://tartarsauce -f W -F --noedb

wig

  • WebApp Information Gatherer

python3 wig.py http://tartarsauce/

whatweb

whatweb http://tartarsauce/

Netcat Port Scanner

echo "" | nc -nvw2 10.10.10.60 20-80

PowerShell Ping Sweep

PS> 1..255 | % {echo ""10.10.10.$_""; ping -n 1 -w 100 10.10.10.$_ | select-string ttl}

Public Attack Surface

Rumble.run  - Internal network scanning
Shodan   - Public attack surface
Censys   - Public attack surface

Axonius  - Aggregate various platforms into one.

wget

> wget -q --server-response http://10.x.x.x
X-Powered-By: ASP.NET

uniscan

uniscan -u IP -qweds
PreviousBurpNextEnum Finger and Brute SSH

Last updated 2 years ago

Was this helpful?